Privacy-enhanced credential services

The use of credential directories in PKI and authorization systems such as Shibboleth introduces a new privacy risk: an insider at the directory can learn much about otherwise protected interactions by observing who makes queries, and what they ask for. Recent advances in Practical Private Information Retrieval provide promising countermeasures. In this paper, we extend this technology to solve this new privacy problem, and present a design and preliminary prototype for a LDAP-based credential service that can prevent even an insider from learning anything more than the fact a query was made. Our preliminary performance analysis suggests that the complete prototype may be suciently robust for academic enterprise settings.

[1]  Ronald L. Rivest,et al.  Introduction to Algorithms , 1990 .

[2]  William M. Daley,et al.  Security Requirements for Cryptographic Modules , 1999 .

[3]  Sean W. Smith,et al.  Practical server privacy with secure coprocessors , 2001, IBM Syst. J..

[4]  Vincent G. Winters Minimal perfect hashing in polynomial time , 1990, BIT Comput. Sci. Sect..

[5]  Johann-Christoph Freytag,et al.  Almost Optimal Private Information Retrieval , 2002, Privacy Enhancing Technologies.

[6]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[7]  Abraham Waksman,et al.  A Permutation Network , 1968, JACM.

[8]  Silvio Micali,et al.  Computationally Private Information Retrieval with Polylogarithmic Communication , 1999, EUROCRYPT.

[9]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[10]  Clifford Stein,et al.  Introduction to Algorithms, 2nd edition. , 2001 .

[11]  Stefan A. Brands,et al.  A Technical Overview of Digital Credentials , 2002 .

[12]  Bennet S. Yee,et al.  Using Secure Coprocessors , 1994 .

[13]  Masayuki Abe,et al.  Remarks on Mix-Network Based on Permutation Networks , 2001, Public Key Cryptography.

[14]  Johann-Christoph Freytag Private Information Retrieval, Optimal for Users and Secure Coprocessors , 2002 .

[15]  Sean W. Smith Outbound authentication for programmable secure coprocessors , 2004, International Journal of Information Security.

[16]  Stefan A. Brands,et al.  Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy , 2000 .

[17]  Eyal Kushilevitz,et al.  Private information retrieval , 1995, Proceedings of IEEE 36th Annual Foundations of Computer Science.

[18]  Martin Nemzow,et al.  Rethinking Public Key Infrastructures and Digital Certificates and Privacy , 2001 .

[19]  Clifford Stein,et al.  Introduction to algorithms. Chapter 16. 2nd Edition , 2001 .

[20]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .